CN113904826A - Data transmission method, device, equipment and storage medium - Google Patents

Data transmission method, device, equipment and storage medium

Info

Publication number
CN113904826A
CN113904826A (application CN202111151014.XA)
Authority
CN
China
Prior art keywords
terminal
knock
port
data
data transmission
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202111151014.XA
Other languages
Chinese (zh)
Other versions
CN113904826B (en
Inventor
秦义波
何春林
姜楠
黄家豪
齐向东
吴云坤
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Qax Technology Group Inc
Secworld Information Technology Beijing Co Ltd
Original Assignee
Qax Technology Group Inc
Secworld Information Technology Beijing Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Qax Technology Group Inc and Secworld Information Technology Beijing Co Ltd
Priority to CN202111151014.XA
Publication of CN113904826A
Application granted
Publication of CN113904826B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 ... for separating internal from external traffic, e.g. firewalls
    • H04L 63/0209 ... architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H04L 63/04 ... for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 ... wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/0435 ... wherein the sending and receiving network entities apply symmetric encryption, i.e. the same key is used for encryption and decryption
    • H04L 63/08 ... for authentication of entities
    • H04L 63/10 ... for controlling access to devices or network resources
    • H04L 63/20 ... for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The application provides a data transmission method, apparatus, device and storage medium. The method comprises: receiving a port-knock request from a terminal for a target port; performing a first port-knock check on the terminal according to the knock request; when the terminal passes the first check, opening the target port and receiving a data transmission request from the terminal for the target port; and performing a second port-knock check on the terminal according to the data transmission request, forwarding the data transmission request to a server through the target port only when the terminal passes the second check. The firewall rules are changed dynamically only after a knock packet from an authorized terminal has been received, and only then is the terminal allowed to establish a connection to the server, so that only authorized terminals can access the server's service and the security of data access is improved.

Description

Data transmission method, device, equipment and storage medium
Technical Field
The present application relates to the field of information processing technologies, and in particular, to a data transmission method, apparatus, device, and storage medium.
Background
In a computer network, a server provides services to the outside through a port. Once a port is exposed, an attacker can scan the server and mount a series of attacks against it, such as DoS (denial of service) attacks that stop the server from providing its service normally. After an attacker has fingerprinted the type of service provided, they can attack known vulnerabilities of that service type; a server is hard to keep on the latest version at all times, zero-day vulnerabilities exist as well, and so a server with a directly exposed port is a serious security risk.
A common way to deal with this problem is to restrict the permitted sources and destinations with firewall rules, for example iptables (the Linux IP packet filtering system). Managing such rules statically, however, is nearly impossible and an enormous administrative burden in today's era of remote work and networks available everywhere.
Disclosure of Invention
An object of the embodiments of the present application is to provide a data transmission method, apparatus, device, and storage medium, which dynamically change a firewall rule only after receiving an authorized terminal knock data packet, and allow the terminal to establish a connection to a server, so that only the authorized terminal can normally access a server service, thereby improving security of data access.
A first aspect of the embodiments of the present application provides a data transmission method, including: receiving a port-knock request from a terminal for a target port; performing a first port-knock check on the terminal according to the knock request; when the terminal passes the first port-knock check, opening the target port and receiving a data transmission request from the terminal for the target port; and performing a second port-knock check on the terminal according to the data transmission request, and forwarding the data transmission request to a server through the target port when the terminal passes the second port-knock check.
In an embodiment, the performing, according to the knock request, a first port knock check on the terminal includes: extracting the knock data of the terminal to the target port from the knock request, wherein the knock data carries an authorization key identification of the terminal; and decrypting the knock data by adopting the authorization key corresponding to the authorization key identification to obtain knock plaintext data, and performing the first port knock verification on the terminal according to the knock plaintext data.
In an embodiment, the performing, according to the data transmission request, a second port knock check on the terminal includes: extracting knock data of the terminal to the target port from the data transmission request, wherein the knock data carries an authorization key identification of the terminal; and decrypting the knock data by adopting the authorization key corresponding to the authorization key identification to obtain knock plaintext data, and performing the second port knock verification on the terminal according to the knock plaintext data.
In an embodiment, the knock plaintext data includes unique identification information of the terminal; according to the knock plaintext data, the step of performing the port knock verification on the terminal comprises the following steps: and comparing the unique identification information with the authorization information of the terminal in the database, and determining that the terminal passes the port knock check when the unique identification information is the same as the authorization information of the terminal in the database, wherein the authorization information of the authorized terminal is prestored in the database.
In an embodiment, the knock plaintext data further includes a current random code generated by the terminal; after the comparing the unique identification information with the authorization information of the terminal in the database, the method further includes: when the unique identification information is the same as the authorization information of the terminal in the database, judging whether the current random code is the same as any one historical random code of the terminal; and when the current random code is different from any one past random code of the terminal, determining that the terminal passes the port knock check.
In an embodiment, after the comparing the unique identifier with the authorization information of the terminal in the database, the method further includes: and when the current random code is the same as any one historical random code of the terminal, determining that the terminal does not pass the port knock check.
A second aspect of the embodiments of the present application provides a data transmission apparatus, including: a first receiving module for receiving a port-knock request from a terminal for a target port; a first knock module for performing a first port-knock check on the terminal according to the knock request; a second receiving module for opening the target port and receiving a data transmission request from the terminal for the target port when the terminal passes the first port-knock check; and a second knock module for performing a second port-knock check on the terminal according to the data transmission request and forwarding the data transmission request to a server through the target port when the terminal passes the second port-knock check.
In one embodiment, the first knock module is configured to: extracting the knock data of the terminal to the target port from the knock request, wherein the knock data carries an authorization key identification of the terminal; and decrypting the knock data by adopting the authorization key corresponding to the authorization key identification to obtain knock plaintext data, and performing the first port knock verification on the terminal according to the knock plaintext data.
In one embodiment, the second knock module is configured to: extracting knock data of the terminal to the target port from the data transmission request, wherein the knock data carries an authorization key identification of the terminal; and decrypting the knock data by adopting the authorization key corresponding to the authorization key identification to obtain knock plaintext data, and performing the second port knock verification on the terminal according to the knock plaintext data.
In an embodiment, the knock plaintext data includes unique identification information of the terminal; according to the knock plaintext data, the step of performing the port knock verification on the terminal comprises the following steps: and comparing the unique identification information with the authorization information of the terminal in the database, and determining that the terminal passes the port knock check when the unique identification information is the same as the authorization information of the terminal in the database, wherein the authorization information of the authorized terminal is prestored in the database.
In an embodiment, the knock plaintext data further includes a current random code generated by the terminal; after the comparing the unique identification information with the authorization information of the terminal in the database, the method further includes: when the unique identification information is the same as the authorization information of the terminal in the database, judging whether the current random code is the same as any one historical random code of the terminal; and when the current random code is different from any one past random code of the terminal, determining that the terminal passes the port knock check.
In an embodiment, after the comparing the unique identifier with the authorization information of the terminal in the database, the method further includes: and when the current random code is the same as any one historical random code of the terminal, determining that the terminal does not pass the port knock check.
A third aspect of embodiments of the present application provides an electronic device, including: a memory to store a computer program; a processor configured to execute the computer program to implement the method of the first aspect and any embodiment of the present application.
A fourth aspect of embodiments of the present application provides a non-transitory electronic device-readable storage medium, including: a program which, when run by an electronic device, causes the electronic device to perform the method of the first aspect of an embodiment of the present application and any embodiment thereof.
According to the data transmission method, apparatus, device and storage medium above, the legitimacy of a terminal's knock request is verified by a first port-knock check; the requested target port is opened when the knock request is legitimate; a second port-knock check is performed on the terminal again when it makes its data transmission request; and only if both port-knock checks pass is the client allowed to request data from the server through the target port.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and that those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
Fig. 1 is a schematic structural diagram of an electronic device according to an embodiment of the present application;
fig. 2 is a schematic view of a data transmission system according to an embodiment of the present application;
fig. 3 is a schematic flowchart of a data transmission method according to an embodiment of the present application;
fig. 4 is a schematic flowchart of a data transmission method according to an embodiment of the present application;
fig. 5A is a schematic structural diagram of knock data according to an embodiment of the present application;
fig. 5B is a block diagram of plaintext SPA data according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of a data transmission device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application. In the description of the present application, the terms "first," "second," and the like are used solely to distinguish one from another and are not to be construed as indicating or implying relative importance.
As shown in fig. 1, the present embodiment provides an electronic apparatus 1 including: at least one processor 11 and a memory 12, one processor being exemplified in fig. 1. The processor 11 and the memory 12 are connected by a bus 10. The memory 12 stores instructions executable by the processor 11, and the instructions are executed by the processor 11, so that the electronic device 1 may perform all or part of the processes of the methods in the embodiments described below, so that only authorized terminals can normally access the server service, and the security of data access is improved.
In an embodiment, the electronic device 1 may be a gateway, a proxy device, a VPN (Virtual Private Network) server, a router, a mobile phone, a tablet computer, a notebook computer, a desktop computer, or a gateway server composed of multiple computers. Please refer to fig. 2, which is a schematic view of a scenario of a data transmission system according to an embodiment of the present application, and the scenario may mainly include: terminal 2, gateway device 3 and server 4, wherein:
the terminal 2 may be a mobile phone or a computer of a user, and the terminal 2 may be loaded with a client Application (APP) authorized by the gateway device 3, such as a VPN client, and the terminal 2 may access the gateway device 3 through the APP.
The server 4 may be a cloud server 4 or a local server 4, and the server 4 may provide data services for the terminal 2 through a port of the gateway device 3. There may be a plurality of servers 4, each server 4 may use a different port, and when the user terminal 2 accesses the server 4 through the gateway device 3, it needs to specify a target port to be accessed.
The gateway device 3 may be implemented by the electronic device 1, and the gateway device 3 may be connected to the terminal 2 and the server 4 in a wired or wireless manner, respectively, and is configured to monitor an access request of the terminal 2 to the server 4, and perform validity check on the request of the terminal 2, and only if the access request passes the check, the access to the server 4 through the target port is allowed, so that data security of the server 4 is improved.
To keep the server 4 secure, in a practical scenario the ports of the gateway device 3 are not open to the outside at all times; instead the ports are hidden, that is, the firewall of the gateway device 3 (iptables in the following, for example) is configured to discard all requests by default and to return nothing to a probe, just as if the gateway device 3 had closed all of its ports.
Until the specific knock message has been sent to the gateway device 3, the port of the gateway device 3 discards connections from any address, and an attacker cannot find the port by scanning; the gateway device 3 looks as if it provided no service at all, which is the port-hiding effect. Therefore, if the terminal 2 needs to access the data service of the server 4, it first has to send a knock request to the gateway device 3, which monitors knock requests from the terminal 2 to a given destination port in real time. A port knock is the sending of a specific sequence of connection attempts; if the gateway device 3 considers the sequence legitimate, it allows (authorizes) the client to initiate the connection. The gateway device 3 thus acts as a gateway, proxy device or VPN server that may expose only a single port to the outside (hidden by default) and, through the interaction between the terminal 2 and the gateway device 3, forwards access to a plurality of service servers 4. Whether the terminal 2 can reach the server 4 at all is decided by the authorization decision of the gateway device 3.
Please refer to fig. 3, which shows a data transmission method according to an embodiment of the present application. The method may be executed by the electronic device 1 shown in fig. 1 acting as the gateway device 3 and may be applied in the data transmission scenario shown in fig. 2, so that only an authorized terminal 2 can normally access the service of the server 4 and the security of data access is improved. The method comprises the following steps:
step 301: a knock request of the terminal 2 to the destination port is received.
In this step, Single Packet Authorization (SPA) port knocking may be adopted: the terminal 2 only needs to send a single knock packet to achieve the knock effect, which avoids problems such as out-of-order delivery that can arise with a sequence of several knock packets. The single packet is encrypted and can only be produced by the terminal 2 of a legitimate user. In addition, the connection data that the terminal is later allowed to initiate also carries the single-packet authorization data of the terminal 2, which further ensures the legitimacy of the terminal 2. Single packet authorization requires a knock client (loaded on the terminal 2) and a knock server (i.e. the gateway device 3). The client may use the DTLS (Datagram Transport Layer Security) protocol and add an extension to its ClientHello to produce a knock request that contains the encrypted knock data, and send that knock request to the gateway device 3 to perform the port knock. Assuming the terminal 2 initiates a knock request to the target port 443 (configurable), the gateway device 3 can capture the DTLS-based knock request on target port 443 using libpcap (the packet capture library, which observes the packet even though the firewall does not pass it to any listening socket).
Step 302: and carrying out first port knock verification on the terminal 2 according to the knock request.
In this step, the first port-knock check is performed on the basis of the knock data in the DTLS knock request received on target port 443 in step 301. If the check passes, the terminal 2 is a legitimate terminal authorized by the gateway device 3 and step 303 is entered; otherwise the terminal 2 is not authorized and may be an attacker, and to protect data security the packet of the knock request is discarded directly without any response, so that the target port stays hidden and an attacker cannot detect target port 443.
Step 303: and when the terminal 2 passes the first time of the port knock verification, opening the target port and receiving a data transmission request of the terminal 2 to the target port.
In this step, once the first port-knock check has passed, the gateway device 3 still sends no response; instead it dynamically modifies its firewall rules so that the terminal 2 is allowed to initiate a connection to port 443 for a short time, for example so that a TCP (Transmission Control Protocol) connection from the terminal 2 to port 443 may be established, and the gateway device 3 receives in real time the data transmission request from the terminal 2 to the target port. "A short time" means that a port-opening duration can be configured, so that the port is not left open for a long period and exposed to attack. Although the knock succeeded, the gateway device 3 returns no data in reply to the knock request; until a knock packet is received and passes the check, the TCP port is not opened to the outside at all, which achieves the purpose of hiding the port.
Step 304: and carrying out second port knock verification on the terminal 2 according to the data transmission request, and forwarding the data transmission request to the server 4 through the target port when the terminal 2 passes the second port knock verification.
In this step, when a data transmission request from the terminal 2 to the target port is received, the terminal 2 has started to access the service data of the server 4. In a practical scenario the authorized terminal 2 may sit in a local area network whose devices all reach the external network through one static IP address, so after one terminal 2 in that LAN has successfully knocked the gateway device 3, it is quite possible that other devices in the LAN access the gateway device 3 through the same IP address, which also threatens the data security of the server 4. For example, terminal 2A and terminal 2B are both in the LAN; terminal 2A is a legitimate terminal authorized by the gateway device 3 and terminal 2B is not. Once terminal 2A has successfully knocked target port 443, the rule opened for it can be exploited by terminal 2B, which then initiates a data transmission request to the gateway device 3 through target port 443.
Therefore, to prevent other unauthorized devices in the same LAN from illegally accessing the server 4 under the IP address of the authorized terminal 2, the gateway device 3 performs a second port-knock check on the terminal 2 based on the data transmission request. That is, after target port 443 has been knocked successfully, the terminal 2 initiates a service request to the server 4 through the client proxy, the gateway device 3 monitors and processes that data transmission request on target port 443, and at this point the port-knock data is verified again, this time taken from the data transmission request. Only after the second port-knock check passes does the gateway device 3 forward the service's data transmission request to the server 4 through the target port, completing one data access by the terminal 2 to the server 4.
If the second port-knock check fails, the data transmission request may not have been initiated by an authorized terminal device, such as the request initiated by terminal 2B in the example above, and the gateway device 3 may directly discard the packet of that data transmission request to protect the data security of the server 4. Only legitimate data connections are let through, the range of connections that can be initiated is narrowed, and the terminal 2 that initiates a data connection is guaranteed to have been authorized and authenticated by the gateway device 3.
In an embodiment, the data transmission request carries the knock data of the terminal 2: for example, the proxied service content requested by the terminal 2 may be wrapped in a TLS (Transport Layer Security) layer, and an extension added to the ClientHello sent by the terminal 2 carries the encrypted knock data to the gateway device 3.
In an embodiment, the method may further include process auditing, reporting and analysis of the port-knocking process and of data transmission, such as logging the running of the whole system: when a single-packet authorization request was initiated and from which IP address, when the gateway device 3 opened and closed a particular port, service forwarding information, and so on. The audit data is reported and may be analyzed, for example to study single-packet authorization requests and service forwarding.
According to the data transmission method above, port hiding is achieved with a single-packet-authorization port knock: before the specific knock message has been sent to the gateway device 3, the port of the gateway device 3 discards connections from any address, an attacker cannot find the port by scanning, and the gateway device 3 looks as if it provided no service at all. The gateway device 3 dynamically changes its iptables rules only after receiving a knock packet from a legitimate terminal 2, and temporarily allows that terminal 2 to establish a data connection to the gateway device 3, so the legitimate terminal 2 accesses the service normally. Because the gateway device 3 does not respond to any connection attempt before a legitimate knock packet arrives, port scanning and the DoS and vulnerability attacks that follow from it are effectively prevented, improving the security and availability of the system.
The legitimacy of the knock request of the terminal 2 is verified by a first port-knock check; when the knock request is legitimate the requested target port is opened; a second port-knock check is performed on the terminal 2 again when it makes its data transmission request; and only if both port-knock checks pass is the client allowed to request data from the server 4 through the target port. The firewall rules are therefore changed dynamically only after a knock packet from an authorized terminal 2 has been received, the terminal 2 is allowed to connect to the gateway device 3, only the authorized terminal 2 can normally access the service of the server 4, and the security of data access is improved.
Please refer to fig. 4, which is a data transmission method according to an embodiment of the present application, and the method may be executed by the electronic device 1 shown in fig. 1 as the gateway device 3, and may be applied in the data transmission scenario shown in fig. 2, so that only the authorized terminal 2 may normally access the service of the server 4, and the security of data access is improved. The method comprises the following steps:
step 401: a knock request of the terminal 2 to the destination port is received. See the description of step 301 in the above embodiments for details.
Step 402: and extracting the knock data of the terminal 2 to the target port from the knock request, wherein the knock data carries the authorization key identification of the terminal 2.
In this step, taking single-packet-authorization port knocking as an example, the knock request may be a request packet carrying encrypted knock data that the terminal 2 produced by adding an extension to its ClientHello. The knock request includes pre-constructed SPA data (the knock data), and the gateway device 3 extracts that SPA data from the knock request. The SPA data carries at least the authorization key identifier of the terminal 2, which may be the name or number of an authorization key and is unique, so that it distinguishes the key from all others. The authorization key is a key agreed in advance between the gateway device 3 and the terminal 2 and shared by both: it may be stored on the gateway device 3 and issued ahead of time to an authorized user by the administrator of the gateway device 3, and the user imports it into the terminal 2. The SPA data does not carry the authorization key itself, which prevents the key from being intercepted by an illegitimate terminal in transit. The extension carrying the SPA data can be customized as required; for example, extension number 77 may be used, and it may be changed to whichever extension number is actually registered.
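The following is an added example, not code from the patent, showing how the knock data can ride in a ClientHello extension as steps 301 and 402 describe, and how the gateway extracts it. It builds a minimal TLS or DTLS ClientHello with the SPA record as the payload of extension number 77 (the number the patent gives as an example; the cipher suite, zero random, empty session ID and record-layer versions are constructed filler, and the function and type names are this example's own), and parses such a hello back to the extension payload, rejecting anything truncated, fragmented or with trailing bytes so that the gateway can drop it without a reply:

```go
package main

import "errors"

// The patent gives 77 as an example extension number; it is not an IANA-registered
// TLS extension type, so treat it as a configurable placeholder.
const knockExtType = 77
var errBadHello = errors.New("malformed ClientHello or no knock extension: drop")

func u16(n int) []byte { return []byte{byte(n >> 8), byte(n)} }
func u24(n int) []byte { return []byte{byte(n >> 16), byte(n >> 8), byte(n)} }

// BuildClientHello is the terminal side: one unfragmented ClientHello carrying
// spa as extension knockExtType. Random, session ID and cipher suite are filler.
func BuildClientHello(dtls bool, spa []byte) []byte {
	version, cookie := []byte{0x03, 0x03}, []byte(nil)
	rec := []byte{22, 0x03, 0x01} // content type handshake, record-layer version
	if dtls {
		version, cookie = []byte{0xfe, 0xfd}, []byte{0}           // DTLS 1.2, empty cookie
		rec = append(rec[:1], 0xfe, 0xff, 0, 0, 0, 0, 0, 0, 0, 0) // version, epoch, sequence
	}
	ext := append(append(u16(knockExtType), u16(len(spa))...), spa...)
	body := append(version, make([]byte, 32)...) // client_version, zero random
	body = append(body, 0)                      // empty session_id
	body = append(body, cookie...)              // DTLS only
	body = append(body, 0, 2, 0x13, 0x01, 1, 0) // one cipher suite; null compression
	body = append(append(body, u16(len(ext))...), ext...)
	hs := append([]byte{1}, u24(len(body))...) // msg_type client_hello, length
	if dtls {
		hs = append(append(hs, 0, 0, 0, 0, 0), u24(len(body))...) // message_seq, fragment_offset, fragment_length
	}
	hs = append(hs, body...)
	return append(append(rec, u16(len(hs))...), hs...)
}

// cursor reads big-endian fields and records the first overrun instead of panicking.
type cursor struct {
	b   []byte
	err error
}

func (c *cursor) take(n int) []byte {
	if c.err != nil || n < 0 || n > len(c.b) {
		c.err = errBadHello
		return nil
	}
	v := c.b[:n]
	c.b = c.b[n:]
	return v
}

func (c *cursor) num(n int) (v int) {
	for _, x := range c.take(n) {
		v = v<<8 | int(x)
	}
	return v
}

func (c *cursor) vec(lenBytes int) []byte { return c.take(c.num(lenBytes)) }

// ExtractKnock is the gateway side (step 402): walk the record, handshake and
// ClientHello headers and return the payload of extension knockExtType. Anything
// that deviates, including a fragmented DTLS hello, is an error: drop, no reply.
func ExtractKnock(dtls bool, pkt []byte) ([]byte, error) {
	r := &cursor{b: pkt}
	ctype := r.num(1)
	if r.take(2); dtls { // record version; DTLS adds epoch and sequence number
		r.take(8)
	}
	hs := &cursor{b: r.vec(2)}
	if r.err != nil || ctype != 22 || len(r.b) != 0 {
		return nil, errBadHello // not a handshake record, or trailing bytes
	}
	mtype, n := hs.num(1), hs.num(3)
	if dtls && (hs.take(5) == nil || hs.num(3) != n) { // message_seq, fragment_offset, fragment_length
		return nil, errBadHello
	}
	body := &cursor{b: hs.take(n)}
	if hs.err != nil || mtype != 1 || len(hs.b) != 0 {
		return nil, errBadHello // not client_hello, or more than one message
	}
	body.take(2 + 32) // client_version, random
	body.vec(1)       // session_id
	if dtls {
		body.vec(1) // cookie
	}
	body.vec(2) // cipher_suites
	body.vec(1) // compression_methods
	exts := &cursor{b: body.vec(2)}
	if body.err != nil || len(body.b) != 0 {
		return nil, errBadHello // no extensions block, or trailing bytes
	}
	for exts.err == nil && len(exts.b) > 0 {
		if typ, data := exts.num(2), exts.vec(2); exts.err == nil && typ == knockExtType {
			return data, nil
		}
	}
	return nil, errBadHello // truncated extension list, or no knock extension
}
```

The parser deliberately refuses fragmented DTLS hellos and records with more than one message: a gateway that must stay silent towards scanners has no reason to reassemble, and every length field is checked before it is used so that a malformed probe fails the parse instead of crashing the knock server.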
In one embodiment, the SPA data structure as knock data may be as shown in fig. 5A, where:
version: the value may be 1, for example, in the case of only one version, and then the version number may be sequentially incremented if there is a new version.
The key name is as follows: it may take 36 bytes, that is, a length of UUID (Universally Unique Identifier), which indicates the authorization key of the terminal 2 that needs to be used for performing the port knock check.
Encrypting SPA data: the data length depends on the length of the plaintext SPA data, and is ciphertext data obtained by encrypting the plaintext SPA data, for example, data obtained by symmetric Encryption using AES (Advanced Encryption Standard).
Step 403: decrypt the knock data with the authorization key corresponding to the authorization key identifier to obtain knock plaintext data, and perform a first port knock check on the terminal 2 according to the knock plaintext data.
In this step, again taking single packet authorization as an example, the knock data is encrypted SPA data that carries the authorization key identifier of the terminal 2. The corresponding authorization key is therefore looked up on the gateway device 3 by that identifier, the encrypted SPA data is decrypted with it to obtain plaintext SPA data (the knock plaintext data), and the first port knock check is performed on the terminal 2 based on the plaintext SPA data. If the check passes, step 404 is performed; otherwise the terminal 2 is not authorized and may be an attacker, so to protect data security the packet of the current knock request is discarded without any response, which keeps the target port hidden.
In one embodiment, the knock plaintext data may include unique identification information of the terminal 2. In step 403, performing the port knock check on the terminal 2 according to the knock plaintext data includes: comparing the unique identification information with the authorization information of the terminal 2 in a database, and determining that the terminal 2 passes the port knock check when the unique identification information is the same as the authorization information of the terminal 2 in the database, where the authorization information of authorized terminals 2 is stored in the database in advance.
In this step, the unique identification information may be the device ID of the terminal 2. The database stores the authorization information of authorized terminals 2, which includes at least the device ID of each authorized terminal 2. The gateway device 3 determines whether the terminal 2 is recorded in the database by comparing the device ID in the knock plaintext data obtained in step 403 with the authorization information in the database. If it is, the terminal 2 is authorized and is a legitimate terminal 2, and the port knock check is passed; otherwise the database holds no authorization information for the terminal 2, the terminal 2 is an unauthorized terminal 2, and the port knock packet is discarded.
In an embodiment, consider an actual scenario in which a legitimate terminal 2A successfully knocks on the port with a valid knock packet Q, and the packet Q is then intercepted by an unauthorized terminal 2B; if the terminal 2B used the packet Q to attack the server 4, the server 4 could suffer serious loss. To prevent this, the knock plaintext data may further include a current random code generated by the terminal 2. After comparing the unique identification information with the authorization information of the terminal 2 in the database, step 403 may further include: when the unique identification information is the same as the authorization information of the terminal 2 in the database, judging whether the current random code is the same as any past random code of the terminal 2; and when the current random code differs from every past random code of the terminal 2, determining that the terminal 2 passes the port knock check.
In an embodiment, after comparing the unique identification information with the authorization information of the terminal 2 in the database, step 403 further includes: when the current random code is the same as any past random code of the terminal 2, determining that the terminal 2 does not pass the port knock check.
The random code prevents the same packet from being used to knock repeatedly within a period of time, so the past random codes are the random codes in the knock data received from the terminal 2 within that period, which may be set according to actual needs, for example one month. That is, among the knock data from a legitimate terminal 2, only knock data whose random code has not repeated within the month passes the port knock check, and knock data whose random code has already appeared within the month does not. The random code check thus prevents the unauthorized terminal 2B from using the intercepted legitimate packet Q to knock, further improving the data security of the server 4.
In one embodiment, the plaintext SPA data may be as shown in fig. 5B, where the string fields are separated by semicolons, so a field value itself cannot contain a semicolon. The fields are as follows:
Client version: the version number of the client APP installed in the terminal 2, which may be in the format x.y.z; during verification the gateway device 3 checks that the client version in the knock data matches the expected client version.
Message type: identifies the type of the message and is reserved for later extension; for example the value may be 1, or a message type number may be assigned according to actual requirements.
16-byte random string: the random code, which prevents the same packet from being used to knock repeatedly within a period of time.
Device ID: used to check whether the device information of the client that initiated the request is in the database.
HMAC-SHA256: a keyed-hash message authentication code computed with HMAC-SHA256 over the client version, message type, 16-byte random string and device ID fields shown in fig. 5B. The gateway device 3 recomputes it over the same fields to check message integrity; the key used by the algorithm may be determined from the authorization key name of the terminal 2 shown in fig. 5A.
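As an added example (not code from the patent or from the applicants), the following Go program implements the fig. 5A envelope and the fig. 5B plaintext on the terminal side, and the gateway-side check of step 403 with the device ID lookup and the random code replay check of the embodiments above; step 406 reuses the same check on the knock data carried in the data transmission request. Everything the page leaves open is an assumption of this example and is marked as such in the code: the byte offsets of fig. 5A, AES-GCM as the AES mode with a 12-byte nonce in front of the ciphertext, hex encoding of the 16-byte random string, one 32-byte authorization key used for both AES and HMAC, and a (device ID, random code) pair with its arrival time as the record of past random codes. The key name, device IDs and client versions used when running it are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"strings"
	"time"
)

// Assumed byte layout of the fig. 5A knock data (the page gives field names and the 36-byte key
// name, not offsets): version (1) | key name (36) | AES-GCM nonce (12) | ciphertext of fig. 5B.
const (
	spaVersion = 1
	keyNameLen = 36
	gcmNonce   = 12
	msgType    = "1" // fig. 5B message type; 1 is the value the page suggests
)

// Gateway models the gateway device 3: authorization keys by key name, the authorized device
// "database" of step 403, the client version it expects, and the random codes already accepted.
type Gateway struct {
	Keys      map[string][]byte
	Devices   map[string]bool
	ClientVer string
	Window    time.Duration        // how long a random code stays a "past" code (page: e.g. one month)
	seen      map[string]time.Time // "deviceID|randomCode" -> when it was accepted
}

// fieldMAC is the fig. 5B HMAC-SHA256 over "clientVer;msgType;random;deviceID", keyed with the fig. 5A key.
func fieldMAC(key []byte, fields []string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(strings.Join(fields, ";")))
	return hex.EncodeToString(m.Sum(nil))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// BuildKnock is the terminal 2 side: assemble the fig. 5B plaintext, append its HMAC, encrypt it
// (AES-GCM is this example's choice; the page only says "AES") and wrap it in the fig. 5A envelope.
func BuildKnock(keyName string, key []byte, clientVer, deviceID string) ([]byte, error) {
	if len(keyName) != keyNameLen || strings.ContainsAny(clientVer+deviceID, ";") {
		return nil, errors.New("key name must be 36 bytes and fields may not contain ';'")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	buf := make([]byte, 16+gcmNonce) // 16 random bytes (the random code) followed by the GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	fields := []string{clientVer, msgType, hex.EncodeToString(buf[:16]), deviceID} // hex: no ';' inside
	plain := strings.Join(append(fields, fieldMAC(key, fields)), ";")
	sealed := gcm.Seal(buf[16:], buf[16:], []byte(plain), nil) // nonce || ciphertext || tag
	return append(append([]byte{spaVersion}, keyName...), sealed...), nil
}

// Verify is the port knock check of step 403; step 406 runs it again on the knock data carried in
// the data transmission request. Any error means: drop the packet silently, keeping the port hidden.
func (g *Gateway) Verify(pkt []byte, now time.Time) (string, error) {
	if len(pkt) < 1+keyNameLen+gcmNonce || pkt[0] != spaVersion {
		return "", errors.New("bad envelope, version or length")
	}
	key := g.Keys[string(pkt[1:1+keyNameLen])] // nil for an unknown key identifier
	gcm, err := newGCM(key)
	if err != nil {
		return "", errors.New("unknown authorization key identifier")
	}
	plain, err := gcm.Open(nil, pkt[1+keyNameLen:1+keyNameLen+gcmNonce], pkt[1+keyNameLen+gcmNonce:], nil)
	if err != nil {
		return "", errors.New("decryption failed")
	}
	f := strings.Split(string(plain), ";") // clientVer;msgType;random;deviceID;hmac
	if len(f) != 5 || !hmac.Equal([]byte(f[4]), []byte(fieldMAC(key, f[:4]))) || f[0] != g.ClientVer {
		return "", errors.New("malformed SPA data, HMAC-SHA256 mismatch or wrong client version")
	}
	if !g.Devices[f[3]] {
		return "", errors.New("device ID not in database")
	}
	if g.seen == nil {
		g.seen = map[string]time.Time{}
	}
	k := f[3] + "|" + f[2] // past codes are kept per device: (device ID, random code)
	if t, dup := g.seen[k]; dup && now.Sub(t) <= g.Window {
		return "", errors.New("random code already used within the window: replayed knock packet")
	}
	g.seen[k] = now
	return f[3], nil
}
```

Two points follow from the page's own design. The HMAC-SHA256 field is redundant with the GCM tag once an authenticated mode is chosen, but it is kept because fig. 5B specifies it and it lets the check stay unchanged if a plain AES mode is used instead. And because, as the page's wording implies, only codes seen within the period count as past codes, an intercepted packet Q is accepted again once the window has elapsed, so the window length and the lifetime of the authorization key should be chosen together. The example keeps every accepted code in memory; a real gateway would prune entries older than the window.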
Step 404: when the terminal 2 passes the first port knock check, open the target port and receive a data transmission request from the terminal 2 to the target port. See the description of step 303 in the above embodiments for details.
Step 405: extract from the data transmission request the knock data of the terminal 2 for the target port, where the knock data carries the authorization key identifier of the terminal 2.
In this step, after the first port knock check passes, the target port is opened and the terminal 2 may establish a data connection with the gateway device 3 through the target port within a configured period of time, for example a TCP connection. The gateway device 3 monitors the target port in real time for a data transmission request sent by the terminal 2; the data transmission request carries knock data, which may be the same as the knock data in step 402 (see the description of the knock data in step 402 for details). The gateway device 3 first extracts the knock data from the data transmission request.
Step 406: decrypt the knock data with the authorization key corresponding to the authorization key identifier to obtain knock plaintext data, and perform a second port knock check on the terminal 2 according to the knock plaintext data.
In this step, again taking single packet authorization as an example, the knock data is encrypted SPA data that carries the authorization key identifier of the terminal 2, so the corresponding authorization key is looked up on the gateway device 3 by that identifier, the encrypted SPA data is decrypted with it to obtain plaintext SPA data (the knock plaintext data), and the second port knock check is performed on the terminal 2 based on the plaintext SPA data. If the check passes, step 407 is entered; otherwise it is determined that the current data transmission request may not have been initiated by the authorized terminal 2. For example, if the data transmission request was initiated by the unauthorized terminal 2B of the above example, the packet of the current data transmission request is discarded to protect the data security of the server 4. Only legitimate data connections are let through, which narrows the range of data connections that can be initiated and ensures that the terminal 2 initiating the data connection has been authorized and authenticated by the gateway device 3.
The second port knock check may proceed in the same way as the first; see step 403 and the detailed description of the port knock check in its optional embodiments, which is not repeated here.
Step 407: when the terminal 2 passes the second port knock check, forward the data transmission request to the server 4 through the target port; the port knock process and the data transmission process may also be recorded. See the description of step 304 and its alternative embodiments in the above embodiments for details.
Please refer to fig. 6, which shows a data transmission apparatus 600 according to an embodiment of the present application. The apparatus can be applied to the electronic device 1 shown in fig. 1 and to the data transmission scenario in fig. 2, so that only an authorized terminal 2 can access the service of the server 4 normally, which improves the security of data access. The apparatus includes a first receiving module 601, a first knock module 602, a second receiving module 603 and a second knock module 604, which are related as follows:
The first receiving module 601 is configured to receive a knock request from the terminal 2 to the target port.
The first knock module 602 is configured to perform a first port knock check on the terminal 2 according to the knock request.
The second receiving module 603 is configured to open the target port when the terminal 2 passes the first port knock check, and to receive a data transmission request from the terminal 2 to the target port.
The second knock module 604 is configured to perform a second port knock check on the terminal 2 according to the data transmission request, and to forward the data transmission request to the server 4 through the target port when the terminal 2 passes the second port knock check.
In one embodiment, the first knock module 602 is configured to: extract from the knock request the knock data of the terminal 2 for the target port, where the knock data carries the authorization key identifier of the terminal 2; and decrypt the knock data with the authorization key corresponding to the authorization key identifier to obtain knock plaintext data, and perform the first port knock check on the terminal 2 according to the knock plaintext data.
In one embodiment, the second knock module 604 is configured to: extract from the data transmission request the knock data of the terminal 2 for the target port, where the knock data carries the authorization key identifier of the terminal 2; and decrypt the knock data with the authorization key corresponding to the authorization key identifier to obtain knock plaintext data, and perform the second port knock check on the terminal 2 according to the knock plaintext data.
In one embodiment, the knock plaintext data includes unique identification information of the terminal 2, and performing the port knock check on the terminal 2 according to the knock plaintext data includes: comparing the unique identification information with the authorization information of the terminal 2 in a database, and determining that the terminal 2 passes the port knock check when the unique identification information is the same as the authorization information of the terminal 2 in the database, where the authorization information of authorized terminals 2 is stored in the database in advance.
In an embodiment, the knock plaintext data further includes a current random code generated by the terminal 2, and after comparing the unique identification information with the authorization information of the terminal 2 in the database, the method further includes: when the unique identification information is the same as the authorization information of the terminal 2 in the database, judging whether the current random code is the same as any past random code of the terminal 2; and when the current random code differs from every past random code of the terminal 2, determining that the terminal 2 passes the port knock check.
In an embodiment, after comparing the unique identification information with the authorization information of the terminal 2 in the database, the method further includes: when the current random code is the same as any past random code of the terminal 2, determining that the terminal 2 does not pass the port knock check.
For a detailed description of the data transmission apparatus 600, please refer to the description of the corresponding method steps in the above embodiments.
An embodiment of the present invention further provides a non-transitory electronic-device-readable storage medium comprising a program that, when run on an electronic device, causes the electronic device to perform all or part of the procedures of the methods in the above embodiments. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), a random access memory (RAM), a flash memory, a hard disk drive (HDD), a solid state drive (SSD) or the like, or a combination of such memories.
Although the embodiments of the present invention have been described in conjunction with the accompanying drawings, those skilled in the art may make various modifications and variations without departing from the spirit and scope of the invention, and such modifications and variations fall within the scope defined by the appended claims.

Claims (10)

1. A method of data transmission, comprising:
receiving a knock request from a terminal to a target port;
performing a first port knock check on the terminal according to the knock request;
when the terminal passes the first port knock check, opening the target port and receiving a data transmission request from the terminal to the target port; and
performing a second port knock check on the terminal according to the data transmission request, and forwarding the data transmission request to a server through the target port when the terminal passes the second port knock check.
2. The method according to claim 1, wherein performing the first port knock check on the terminal according to the knock request comprises:
extracting from the knock request the knock data of the terminal for the target port, wherein the knock data carries an authorization key identifier of the terminal; and
decrypting the knock data with the authorization key corresponding to the authorization key identifier to obtain knock plaintext data, and performing the first port knock check on the terminal according to the knock plaintext data.
3. The method according to claim 1, wherein performing the second port knock check on the terminal according to the data transmission request comprises:
extracting from the data transmission request the knock data of the terminal for the target port, wherein the knock data carries an authorization key identifier of the terminal; and
decrypting the knock data with the authorization key corresponding to the authorization key identifier to obtain knock plaintext data, and performing the second port knock check on the terminal according to the knock plaintext data.
4. The method according to claim 2 or 3, wherein the knock plaintext data comprises unique identification information of the terminal, and performing the port knock check on the terminal according to the knock plaintext data comprises:
comparing the unique identification information with authorization information of the terminal in a database, and determining that the terminal passes the port knock check when the unique identification information is the same as the authorization information of the terminal in the database, wherein the authorization information of authorized terminals is stored in the database in advance.
5. The method according to claim 4, wherein the knock plaintext data further comprises a current random code generated by the terminal, and after comparing the unique identification information with the authorization information of the terminal in the database, the method further comprises:
when the unique identification information is the same as the authorization information of the terminal in the database, judging whether the current random code is the same as any past random code of the terminal; and
when the current random code differs from every past random code of the terminal, determining that the terminal passes the port knock check.
6. The method according to claim 5, further comprising, after comparing the unique identification information with the authorization information of the terminal in the database:
when the current random code is the same as any past random code of the terminal, determining that the terminal does not pass the port knock check.
7. A data transmission apparatus, comprising:
a first receiving module configured to receive a knock request from a terminal to a target port;
a first knock module configured to perform a first port knock check on the terminal according to the knock request;
a second receiving module configured to open the target port and receive a data transmission request from the terminal to the target port when the terminal passes the first port knock check; and
a second knock module configured to perform a second port knock check on the terminal according to the data transmission request, and to forward the data transmission request to a server through the target port when the terminal passes the second port knock check.
8. The apparatus of claim 7, wherein the first knock module is configured to:
extract from the knock request the knock data of the terminal for the target port, wherein the knock data carries an authorization key identifier of the terminal; and
decrypt the knock data with the authorization key corresponding to the authorization key identifier to obtain knock plaintext data, and perform the first port knock check on the terminal according to the knock plaintext data.
9. An electronic device, comprising:
a memory to store a computer program;
a processor to execute the computer program to implement the method of any one of claims 1 to 6.
10. A non-transitory electronic device readable storage medium, comprising: program which, when run by an electronic device, causes the electronic device to perform the method of any one of claims 1 to 6.
CN202111151014.XA 2021-09-29 2021-09-29 Data transmission method, device, equipment and storage medium Active CN113904826B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111151014.XA CN113904826B (en) 2021-09-29 2021-09-29 Data transmission method, device, equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111151014.XA CN113904826B (en) 2021-09-29 2021-09-29 Data transmission method, device, equipment and storage medium

Publications (2)

Publication Number Publication Date
CN113904826A true CN113904826A (en) 2022-01-07
CN113904826B CN113904826B (en) 2024-03-01

Family

ID=79189135

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111151014.XA Active CN113904826B (en) 2021-09-29 2021-09-29 Data transmission method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN113904826B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115022099A (en) * 2022-08-09 2022-09-06 北京华云安软件有限公司 Identity authentication method and system based on UDP transmission protocol
CN117220976A (en) * 2023-09-25 2023-12-12 北京网藤科技有限公司 Method and system for improving compliance and safety of local network Web service

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107248911A (en) * 2017-06-02 2017-10-13 中国石油大学(华东) A kind of hidden authentication method of sequence spreading knocked at the door based on address
CN108449354A (en) * 2018-03-30 2018-08-24 杭州安恒信息技术股份有限公司 A kind of reinforcing server log safety method, device and server based on agreement of knocking at the door
CN108900595A (en) * 2018-06-25 2018-11-27 郑州云海信息技术有限公司 Access method, apparatus, equipment and the calculation medium of cloud storage service device data
CN110830446A (en) * 2019-10-14 2020-02-21 云深互联(北京)科技有限公司 SPA security verification method and device
CN112822158A (en) * 2020-12-25 2021-05-18 网神信息技术(北京)股份有限公司 Network access method and device, electronic equipment and storage medium
CN113378141A (en) * 2021-08-12 2021-09-10 明品云(北京)数据科技有限公司 Text data transmission method, system, equipment and medium


Also Published As

Publication number Publication date
CN113904826B (en) 2024-03-01

Similar Documents

Publication Publication Date Title
US10652210B2 (en) System and method for redirected firewall discovery in a network environment
CN108429730B (en) Non-feedback safety authentication and access control method
US9210126B2 (en) Method for secure single-packet authorization within cloud computing networks
US20180332079A1 (en) Efficient and secure user credential store for credentials enforcement using a firewall
US9781114B2 (en) Computer security system
US20180309721A1 (en) Credentials enforcement using a firewall
US7552323B2 (en) System, apparatuses, methods, and computer-readable media using identification data in packet communications
US8806572B2 (en) Authentication via monitoring
US20130097692A1 (en) System and method for host-initiated firewall discovery in a network environment
US11539695B2 (en) Secure controlled access to protected resources
JP2014511616A (en) Logic device, processing method and processing device
Kumar et al. Performance analysis of sdp for secure internal enterprises
CN113904826B (en) Data transmission method, device, equipment and storage medium
CA2506418C (en) Systems and apparatuses using identification data in network communication
CN112954683B (en) Domain name resolution method, domain name resolution device, electronic equipment and storage medium
CN115603932A (en) Access control method, access control system and related equipment
EP4351086A1 (en) Access control method, access control system and related device
US7594268B1 (en) Preventing network discovery of a system services configuration
US20110154469A1 (en) Methods, systems, and computer program products for access control services using source port filtering
US10313305B2 (en) Method of unblocking external computer systems in a computer network infrastructure, distributed computer network having such a computer network infrastructure as well as computer program product
CN116321136A (en) Stealth gateway design method supporting multi-factor identity authentication
Yang et al. Security on ipv6
Mei et al. Research and Defense of Cross-Site WebSocket Hijacking Vulnerability
KR102668919B1 (en) Protocol dialect for network system security
CN118413380A (en) Single-packet authentication-based firewall policy issuing method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088

Applicant after: QAX Technology Group Inc.

Applicant after: Qianxin Wangshen information technology (Beijing) Co.,Ltd.

Address before: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088

Applicant before: QAX Technology Group Inc.

Applicant before: LEGENDSEC INFORMATION TECHNOLOGY (BEIJING) Inc.

GR01 Patent grant